Assessing acceptable risk [Follow-up]

Every project in life makes us weigh pros and cons. Do we take the easy path at the risk of shoddy workmanship, only to have to redo something later? Do we skimp on some of the elements involved in order to save a few dollars? Should we get the job done the quickest way possible and forget about some of the risks and holes we may be leaving ourselves vulnerable to? Almost every project we do in life contains these types of questions, whether it be building something around the house or getting new tires on the car. But what I’m focusing on is risk in software development.

Earlier today I mentioned I found a vulnerability in a popular, albeit niche, website. After carefully balancing on the fine, exhilarating line between my nerdy curiosity and ethical reverse engineering, I stopped my quest and reported what I saw to the site owners. Today I got a very polite response back.

Hello Dan,

We were definitely aware of the possibility of SQL injection during the development of the game. We have a number of safeguards built into the system, so even if you were able to successfully get a few SQL queries slipped through, there really isn’t a whole lot you could have done to compromise the data. You are correct though, in that we shouldn’t be inviting people to test that by sending the error data back. That has been corrected since, so thanks for pointing it out. I’m glad you’re enjoying the game, and good luck the rest of the way!

I was very appreciative of their email and actually more impressed that they were able to fix the hole so quickly. (I have tested it, and what he says is true.) But the email addresses something we all struggle with from time to time, no matter what type of work we do. How much are we willing to let slide in order to finish a project? What are the factors that make us overlook the risks? Is it time? Budget? The perceived idea that the risk is small? How do these factors vary from project to project, or decision to decision?
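The reply above describes two separate decisions: accepting that some SQL might slip through, and (the part they fixed) sending raw database errors back to the browser. The following is an added example, not code from the site or from this post, that puts the two behaviours side by side on a constructed in-memory table; the table name, columns and sample rows are assumptions.

```python
import logging
import sqlite3


def make_db():
    # Constructed sample data standing in for the game's player table (assumption).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE players (name TEXT, score INTEGER)")
    db.executemany("INSERT INTO players VALUES (?, ?)", [("dan", 42), ("alice", 7)])
    return db


def lookup_vulnerable(db, name):
    # Two defects on purpose: the name is pasted into the SQL text, and the raw
    # database error goes back to the client, which tells a prober exactly what
    # broke and invites more testing (the issue the email acknowledges).
    try:
        sql = f"SELECT score FROM players WHERE name = '{name}'"
        row = db.execute(sql).fetchone()
        return {"ok": True, "score": row[0] if row else None}
    except sqlite3.Error as e:
        return {"ok": False, "error": str(e)}


def lookup_hardened(db, name):
    # Parameterised query: the input is bound as data and never becomes SQL, so
    # a stray quote is just a name that does not exist. Database errors are
    # logged server-side and the client only ever sees a generic message.
    try:
        row = db.execute("SELECT score FROM players WHERE name = ?", (name,)).fetchone()
        return {"ok": True, "score": row[0] if row else None}
    except sqlite3.Error as e:
        logging.getLogger(__name__).warning("player lookup failed: %s", e)
        return {"ok": False, "error": "lookup failed"}
```

For a normal name both versions return the same score; for a name containing a single quote the vulnerable version leaks the SQLite parse error while the hardened one simply reports no match.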
